Working with Cookies

Introduction

This article presents a way to send some cookies to a client's browser from an ISAPI extension. An easy way to retrieve and visualize those cookies is also provided.

What is a cookie? A cookie is a small packet of information used to store persistent state information on the user's computer. Cookies are the means by which, under HTTP protocol, a server or a script can maintain state information on the client's workstation.

The Cookie header is included with any HTTP requests that have a cookie and whose domain and path match the request.

HTTP cookies provide the server with a mechanism to store and retrieve state information on the client application's system. This mechanism allows Web-based applications the ability to store information about selected items, user preferences, registration information, and other information that can be retrieved later.

Cookie-Related Headers

There are two HTTP headers, Set-Cookie and Cookie, that are related to cookies. Set-Cookie header is sent by the server in response to an HTTP request, which is used to create a cookie on the user's system. Cookie header is included by the client application with an HTTP request sent to a server if there is a cookie that has a matching domain and path.

Set-Cookie Header

One or more string sequences (separated by semicolons) that follow the pattern <name>=<value> must be included in the Set-Cookie response header. The server can use these string sequences to store data on the client's system.

The expiration date is set by using the format =<date>, where <date> is the expiration date in Greenwich Mean Time (GMT). If the expiration date is not set, the cookie expires after the Internet session ends. Otherwise, the cookie is persisted in the cache until the expiration date. The date must follow the format DAY, DD-MMM-YYYY HH:MM:SS GMT, where DAY is the day of the week (Sun, Mon, Tue, Wed, Thu, Fri, Sat), DD is the day in the month (such as 01 for the first day of the month), MMM is the three-letter abbreviation for the month (Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec), YYYY is the year, HH is the hour value in military time (22 would be 10:00 P.M., for example), MM is the minute value, and SS is the second value.

Specifying the domain name, using the pattern domain=<domain_name>, is optional for persistent cookies and is used to indicate the end of the domain for which the cookie is valid. Session cookies that specify a domain are rejected. If the specified domain name ending matches the request, the cookie tries to match the path to determine whether the cookie should be sent. For example, if the domain name ending is .microsoft.com, requests to home.microsoft.com and support.microsoft.com would be checked to see whether the specified pattern matches the request. The domain name must have at least two or three periods in it to prevent cookies from being set for widely used domain name endings, such as .com, .edu, and co.jp. Allowable domain names would be similar to .microsoft.com, .someschool.edu, and .someserver.co.jp. Only hosts within the specified domain can set a cookie for a domain.

Setting the path, using the pattern path=<some_path>, is optional and can be used to specify a subset of the Uniform Resource Locators (URLs) for which the cookie is valid. If a path is specified, the cookie is considered valid for any requests that match that path. For example, if the specified path is /example, requests with the paths /examplecode and /example/code.htm would match. If no path is specified, the path is assumed to be the path of the resource associated with the Set-Cookie header.

The cookie can also be marked as secure, which specifies that the cookie can be sent only to HTTPS servers.

Cookie Header

The Cookie header is included with any HTTP requests that have a cookie whose domain and path match the request. The Cookie header has the following format:

Cookie: <name>=<value> [;<name>=<value>]...

One or more string sequences, using the format <name>=<value>, contain the information that was set in the cookie.

Sample Cookie Header

Storing Cookies

Netscape Navigator stores cookies in a different fashion than Internet Explorer, though it captures the same material from the server. Instead of storing each cookie in its own file, as Internet Explorer does (see for yourself, as your cookies are typically stored in a directory named "Temporary Internet Files" in your Windows system folder),

Netscape Navigator stores every cookie inside a single file called cookies.txt. (If you're using Nav3, cookies.txt is typically in the C:\Program Files\Netscape\Nav3 directory; Nav4 stores its cookies according to the registered computer user file—in my case, C:\Program Files\Netscape\Users\user.)

Functionality

The Default method loads a simple form on the browser; the user is able to put what cookie name/value pair he wants on it. All jobs are done in the GetCookie method. To be able to write the cookies' values on the client machine, you must inform the IIS server not to write its own headers:

//Turn off sending header by MFC.
pCtxt->m_bSendHeaders = FALSE;

The headers that will contain the cookies will be written on the client computer by our program, using the ServerSupportFunction HTTP function:

Top White Papers and Webcasts

Live Event Date: March 19, 2015 @ 1:00 p.m. ET / 10:00 a.m. PT
The 2015 Enterprise Mobile Application Survey asked 250 mobility professionals what their biggest mobile challenges are, how many employees they are equipping with mobile apps, and their methods for driving value with mobility.
Join Dan Woods, Editor and CTO of CITO Research, and Alan Murray, SVP of Products at Apperian, as they break down the results of this survey and discuss how enterprises are using mobile application management and private …

According to technology research firm Gartner, cloud computing will become the bulk of new IT spend by 20161. By the end of 2017, Gartner predicts that nearly half of large enterprises will have hybrid cloud deployments1. Learn how you can use these trends to your advantage by offering cloud and hybrid data solutions to your customers.